Email Scams


A guide to popular scams and how to stay protected

Email is one of the most widely used communication channels, which also makes it a favourite tool for cybercriminals who want to trick people into revealing sensitive information or wiring money. Once a victim takes the bait, the stolen details are used to drain bank accounts, take over further accounts, or extort the victim with threats to their reputation.

Email scams come in several forms; the most common are described below.


Types of Email Scams

Phishing: These scams are common and cheap to execute. The cybercriminal sends a mass email that appears to come from a legitimate source, such as a bank or a government agency, but contains malicious links. The link points to a domain that imitates the real one, often differing by a single swapped, missing, or extra letter, and whoever clicks it is asked to enter personal or financial information on a page that copies the look of the genuine site.

Once the cybercriminals have this information, the ruse is complete and the data is used for fraud. These scams have become sophisticated and are often difficult for people to spot.

Nigerian Prince scam: These scams became widespread in the 1990s as the internet became a popular medium. They are also called "419 scams", after the section of the Nigerian Criminal Code that covers fraud, but are better known as the Nigerian Prince scam because many originated from Nigeria and the sender claimed to be a Nigerian royal or official. They are a form of advance-fee fraud.

The scam plays on the basic human motive of reward: the sender asks for help transferring a large sum of money out of Nigeria and promises a generous share in return. The story is typically that a wealthy Nigerian prince, or a relative of a deposed official, needs a trustworthy foreigner to move the funds.

The cybercriminals ask for the victim's "foreign" bank account details, ostensibly so they can transfer the money, and then request "additional" payments to cover taxes, legal fees, or government bribes, promising to refund these along with the commission. Once they have collected the payments, they vanish with the funds.

Business email compromise (BEC)/CEO fraud: These scams are rising fast and, according to the FBI's Internet Crime Complaint Center (IC3), have already cost businesses $2.7 billion in reported losses, with the average successful attack costing more than $125,000. BEC scams impersonate the CEO or another senior leader, either by spoofing their address or by sending from a compromised mailbox, and instruct the finance or accounts team to make a money transfer, using a fabricated sense of urgency so that nobody stops to verify the request.

Lottery and prize scams: These use a simple lure, congratulating the recipient on winning a large prize or lottery and promising to credit the winnings directly to their account. To arrange the "transfer", the scammer asks for details such as a Social Security number, credit card number, or bank account information, and once the victim hands them over, the scammer uses them to drain the accounts or commit identity fraud and then disappears.


Examples of Email Scams

Cybercriminals keep developing new strategies to scam people. Here is how a common phishing scam, the fake password-expiry notice, unfolds.

Step 1: An email is spoofed so that it appears to come from a legitimate sender, such as the target organisation's IT department, and is mass-mailed to thousands of recipients.

Step 2: The email tells recipients that their password is about to expire and urges them to change it. It adds urgency with words such as "urgent" or "confidential" in the subject line and warns that if the password is not changed within a set time, the recipient will lose access to the account.

Step 3: The email asks the recipient to click a "password reset link". The link leads to a bogus page with the same look and feel as the authentic one, which asks for both the current password and a new one. Once the recipient enters the current password, the scammers use it to take over the email or bank account, and any other account where the same password is reused.

An alternate version sends the recipient to the real password-reset page while a malicious script runs in the background and steals the session cookie, which the attacker then replays to access the user's account or network without needing the password at all.


How to Spot Email Scams

Here are some ways you can identify an email scam:

  • If the sender's address does not look familiar, confirm with the sender through another channel before clicking any link.
  • Check the sender's address carefully before replying; a lookalike domain is often one letter off, with a letter missing, swapped, or replaced by a similar-looking digit.
  • Look out for odd spelling or grammatical errors in the message. If the sender is someone you know, you are familiar with their writing style, and a message that does not match it is suspect.
  • Be extra careful about entering confidential personal or financial details on any website, especially one you reached by clicking a link in an email.
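
The first two checks above can be automated. The following is an added example written for this page, not code from the original article: it parses a raw message with Python's standard `email` module, flags a Reply-To or Return-Path domain that differs from the visible From domain, and compares the From domain against a trusted-domain list using a homoglyph fold and Levenshtein edit distance to catch the "one letter off" lookalikes. The `TRUSTED_DOMAINS` list and the `SAMPLE_PHISH` message are constructed for illustration.

```python
"""Added example (not from the original article): spot-check a raw email's
sender headers for the signs listed above, namely a Reply-To or Return-Path
domain that differs from the From domain, and a From domain that is a
near-miss lookalike of a domain you trust.  The trusted-domain list and the
sample message are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Hypothetical allow-list: domains this recipient actually expects mail from.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

# Character swaps scammers rely on because they look alike in many fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold common homoglyphs so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(header_value: Optional[str]) -> str:
    """Domain part of a header such as 'Bank Support <support@examp1e.com>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def check_headers(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = sender_domain(msg.get("From"))
    # Replies or bounces routed to a different domain than the visible sender are a classic tell.
    for hdr in ("Reply-To", "Return-Path"):
        other = sender_domain(msg.get(hdr))
        if other and other != from_dom:
            findings.append(f"{hdr} domain {other} does not match From domain {from_dom}")
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"From domain {from_dom} imitates trusted domain {target}")
    return findings


# Constructed sample: the password-expiry lure described earlier on this page.
SAMPLE_PHISH = """From: Example Bank Security <alerts@examp1e.com>
Reply-To: verify-account@mail-examplebank-secure.net
Return-Path: <bounce@mail-examplebank-secure.net>
To: customer@example.com
Subject: URGENT: your password expires today

Your password expires in 24 hours. Reset it now: http://examp1e.com/reset
"""

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_PHISH):
        print("WARNING:", finding)
```

Run against the sample, it reports three findings: the Reply-To and Return-Path both point at a domain other than the one shown in From, and the From domain `examp1e.com` folds to the trusted `example.com` (the digit 1 standing in for the letter l). Feed it a message you are unsure about by pasting the raw headers in place of `SAMPLE_PHISH`; the edit-distance threshold of 2 is a judgement call and should be tuned to the length of the domains on your own list.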

Ways to Prevent and Avoid Email Scams

There are several ways to prevent and avoid email scams. Here are a few:

  • Deploy an email security system that detects malicious attachments, unsafe URLs, and social engineering techniques. Given today's sophisticated attacks, it should be able to tailor protection to each user's exposure, attack profile, and access privileges.
  • Use email domain authentication (SPF, DKIM, and DMARC) to prevent cybercriminals from spoofing your trusted domain to lure users into fake email schemes.
  • Prevent email account compromise with practices such as scanning internal email and enforcing multifactor authentication (MFA).
  • Train your employees on the latest phishing tactics. Send regular reminders to stay alert and to look for Reply-To addresses that do not match the sender's domain.
  • Apply security patches promptly to servers and employees' devices, and fortify your network defenses with antivirus and antimalware software.
  • Back up data frequently so that you can recover if you do fall victim to such a scam.
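
The DMARC item above is only as good as the record you publish: a record with `p=none` asks receivers to report spoofed mail but still deliver it. The following is an added example written for this page, not code from the original article or any vendor: it parses a DMARC TXT record and lists the settings that leave the domain spoofable, with a weak record and a hardened one side by side. Both records and the `example.com` report address are constructed for illustration.

```python
"""Added example (not from the original article): evaluate a DMARC TXT record
for settings that still let an attacker spoof the domain.  The two records
below are constructed for illustration and were not looked up from DNS."""
from typing import Dict, List


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a tag dictionary (tag names are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> List[str]:
    """Return the weaknesses found in a DMARC record; an empty list means the policy is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: missing v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing policy p={policy!r}")
    elif policy == "none":
        findings.append("p=none: receivers deliver spoofed mail and only report it")
    # Subdomains inherit p= unless sp= overrides it, so sp=none reopens the hole.
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains of your domain remain spoofable")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only that percentage of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports of who is sending as you")
    return findings


# Weak record: monitoring only, half the failures exempt, nobody receiving reports.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"

# Hardened record: reject failures on the domain and its subdomains, strict
# SPF/DKIM alignment, aggregate reports delivered.
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc-reports@example.com"
)

if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(label, dmarc_findings(record) or ["no weaknesses found"])
```

To check a live domain, fetch its record with `dig +short TXT _dmarc.yourdomain.example` and pass the quoted string to `dmarc_findings`. Move to `p=reject` only after SPF and DKIM are in place for every legitimate sender and the `rua` reports show no unexpected failures; an enforcing policy blocks your own mail just as readily as a spoofer's.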